Windows 10 'Creators Update' Ransomware Security Features

Microsoft has published details about how the Windows 10 "creators update" (version 1703, released in April) provides protection against ransomware, including last month's infamous "WannaCrypt" (or "WannaCry") ransomware outbreak.

Windows 10 machines weren't subject to the WannaCry ransomware outbreak, according to Microsoft's 13-page retrospective article, announced here. WannaCry took advantage of an exploit in Microsoft's long-outdated Server Message Block 1 (SMB 1) Windows protocol to proliferate across networks, using purported U.S. National Security Agency attack code. Exploiting the SMB 1 flaw wasn't a typical ransomware strategy, but it did cause havoc across networks, such as the U.K.'s National Health Service hospitals and other institutions around the world. Ransomware more typically spreads via e-mail attachments, as well as Web sites that run malicious code.

Windows 7 Was Targeted
Early reports about the WannaCry outbreak had suggested that unsupported Windows operating systems, such as Windows XP, were primarily subject to the attack. Microsoft, though, offered a different view. Only users of Windows 7 and Windows Server 2008 systems that lacked a March security patch (MS17-010) were subject to the WannaCry attack, according to Microsoft's article:

Windows 10 customers emerged unscathed in the aftermath of the WannaCrypt attack. The exploit used by the ransomware was meant to work only against unpatched Windows 7 and Windows Server 2008 systems. More importantly, however, Windows 10 has built-in security technologies that can help defend against WannaCrypt.

However, unpatched Windows 7 and Windows Server 2008 systems that used the Microsoft Security Essentials antimalware program (now called "Windows Defender Antivirus") were still protected against the WannaCry attack, according to Microsoft. Those antimalware solutions use signals from "billions of downloads, web pages, emails and endpoints" to detect new malware. This approach, referred to as the Microsoft "Intelligent Security Graph," blocks about "99.992%" of malware, the article claimed.

Windows 10 Creators Update Protections
The article claimed that Windows 10 version 1703, the creators update, has specific protections for fending off malware attacks. For instance, Windows Defender has a new behavior in which it will suspend a suspicious file and run it through a "controlled detonation chamber" service to check for malware. Windows Defender uses an Antimalware Scan Interface technology in the creators update to detect when JavaScript or Visual Basic script is "downloading and executing a ransomware payload."

Microsoft also touted protections in its Edge browser in the Windows 10 creators update. Pages are opened in "container sandboxes" as a protection against malicious content. Browser downloads are checked against a reputation-checking service. Users also have control over whether Flash-based content can run on a Web site they visit, which Microsoft sees as potential protection against ransomware.

Some of the protections may require using an upper-end product version of Windows 10 or subscribing to an additional service. Security is a large part of Microsoft's upsell practices.

For instance, the Windows 10 creators update also supports Device Guard, a Windows 10 Enterprise edition feature. Device Guard is a white-list protection scheme that lets organizations specify policies such that only trusted applications can run. It applies the white list to browser plug-ins and add-ins as well.

Device Guard uses CPU hardware virtualization technologies to protect against bad drivers or system files, too. However, tapping that capability requires having specific CPU virtualization technologies in place (AMD-V or Intel VT-x technologies), along with firmware that supports second-level address translation (SLAT) technology.
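The two conditions the article ties to exposure and protection, SMB 1 still enabled without the MS17-010 fix, and CPU virtualization plus SLAT for Device Guard, can be audited from an elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft; it assumes a Windows 10 client (the SMB and optional-feature cmdlets are absent on Windows 7), and the MS17-010 KB list is a placeholder to be filled from the bulletin for the build in question.

```powershell
# Read-only audit of the conditions the article ties to ransomware exposure.
# Run from an elevated PowerShell on Windows 10; these cmdlets do not exist on Windows 7.

# ASSUMPTION: the article names the MS17-010 bulletin but not its KB numbers,
# so this is a placeholder to be filled in for the OS build being checked.
$Ms17010Kbs = @('KB-PLACEHOLDER')

function Get-Smb1Status {
    # EnableSMB1Protocol is the server-side switch for the protocol WannaCry abused.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        # Windows 10 also surfaces SMB1 as an optional feature (Enabled/Disabled).
        Smb1FeatureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    }
}

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    # Caveat: on Windows 10 the fix ships in cumulative updates, and a later cumulative
    # update supersedes the original KB, so $false means "verify the build", not "unpatched".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-DeviceGuardReadiness {
    # Device Guard's virtualization-based protection needs VT-x/AMD-V plus SLAT.
    # Win32_Processor exposes both as booleans; Win32_DeviceGuard reports VBS state
    # (0 = not enabled, 1 = enabled but not running, 2 = enabled and running).
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        CpuVirtualizationExtensions = $cpu.VMMonitorModeExtensions
        VirtualizationOnInFirmware  = $cpu.VirtualizationFirmwareEnabled
        SlatSupported               = $cpu.SecondLevelAddressTranslationExtensions
        VbsStatus                   = $dg.VirtualizationBasedSecurityStatus
    }
}

'--- SMB1 ---';         Get-Smb1Status | Format-List
'--- MS17-010 ---';     Test-Ms17010Installed -KbIds $Ms17010Kbs
'--- Device Guard ---'; Get-DeviceGuardReadiness | Format-List
```

A host reporting Smb1ServerEnabled as True with no MS17-010 KB present is the configuration the article describes as exposed; a VbsStatus below 2 means Device Guard's hardware-backed protection is not actually running, whatever the CPU flags say.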

Microsoft also claimed that its Windows Defender Advanced Threat Protection service, a post-breach analysis service, is enhanced with the Windows 10 creators update to more quickly identify ransomware. Windows Defender Advanced Threat Protection is sold as a separate service for enterprises, though. It's not the same thing as Windows Defender Antivirus, which is a "real-time" antimalware solution that's included with all Windows 10 versions.

Researcher Views
In a proof-of-concept study, Albuquerque, N.M.-based security research firm RiskSense tested Windows 10 x64 Version 1511, first released in November 2015, to check if it's still possible to use the leaked hacking code against it. The study, "EternalBlue: Exploit Analysis and Port to Microsoft Windows 10," available here, described version 1511 (code-named "Threshold 2") as the last potentially vulnerable version of Windows 10 for this particular exploit, although there are workaround protections for it.

In contrast, there are no workarounds to protect older Windows versions, according to the RiskSense report.

"Unfortunately, there are no working mitigations for Microsoft Windows Server 2003 (XP), Server 2008 (Vista/7), or Server 2012 (8/8.1)," the report stated. "While certain versions do have mitigations enabled, the mitigations in place have straightforward workarounds."

RiskSense made changes to the exploit code as part of its proof-of-concept test. Such "porting" of the code is still a possibility, the security firm warned.

"This research confirms that porting the original exploit to more versions of Microsoft Windows, while difficult, is not an impossible feat," the study concluded.